In short, you’re paying for the trust, not the actual encryption. Anyone with the appropriate software, which is widely available for free, can create their own certificate that provides encryption. However, using such a certificate will generate a browser warning when a user tries to create a secure connection. The warning will say something to the effect that “the connection is not trusted.” If you want to avoid the warning it costs something between $50 and $500. But there’s a justification.
When you purchase a certificate you must perform some additional steps besides those to create a self-signed certificate. These steps help you demonstrate who you are. For example, it may require that you prove you can receive email at the domain you’re security, prove that you own the domain, talk to a person or use an automated system that calls you to verify your phone number and identity or even fax business verification documents.
Once you’ve performed the steps necessary to show that you are who you say you are you receive an SSL certificate. Of course you also have to pay money.
I’m not really in agreement that the fees associated with an SSL certificate are justified. The cost of verifying an organization that is purchasing a certificate are pretty much static and don’t vary depending on the number of servers they have. Yet you buy the certificates by the server. If it costs $50 to verify an organization and that’s how much they charge for one certificate and a businesses purchases 10 then you’ve got yourself a pretty good margin. If you don’t believe me, ask Mark Shuttleworth. I shouldn’t complain because his success at selling SSL certificates pays my salary. π
